Simple Machines Community Forum

Customizing SMF => SMF Coding Discussion => Topic started by: recordset on November 27, 2010, 09:02:34 AM

Title: How to resolve PHPSESSID.
Post by: recordset on November 27, 2010, 09:02:34 AM
SMF 2.0 RC4

When a guest visits the URL, the CSS URL and image URLs are incorrect.


Sources/QueryString.php

Search for:

    // Guests without a cookie: prefix every link to $scripturl with the session id.
    if (empty($_COOKIE) && SID != '' && empty($context['browser']['possibly_robot']) && @version_compare(PHP_VERSION, '4.3.0') != -1)
        $buffer = preg_replace('/"' . preg_quote($scripturl, '/') . '(?!\?' . preg_quote(SID, '/') . ')\\??/', '"' . $scripturl . '?' . SID . '&', $buffer);
    // Debugging templates, are we?
    elseif (isset($_GET['debug']))
        $buffer = preg_replace('/(?<!<link rel="canonical" href=)"' . preg_quote($scripturl, '/') . '\\??/', '"' . $scripturl . '?debug;', $buffer);



Replace with:

    if (empty($_COOKIE) && SID != '' && empty($context['browser']['possibly_robot']) && @version_compare(PHP_VERSION, '4.3.0') != -1) {
        // Session id rewrite disabled (the hack this post proposes).
        //$buffer = preg_replace('/"' . preg_quote($scripturl, '/') . '(?!\?' . preg_quote(SID, '/') . ')\\??/', '"' . $scripturl . '?' . SID . '&amp;', $buffer);
    // Debugging templates, are we?
    } elseif (isset($_GET['debug'])) {
        $buffer = preg_replace('/(?<!<link rel="canonical" href=)"' . preg_quote($scripturl, '/') . '\\??/', '"' . $scripturl . '?debug;', $buffer);
    }


www.lampanglife.com




Title: Re: How to resolve PHPSESSID.
Post by: Kindred on December 03, 2010, 10:53:25 AM
Is this a question, a suggestion, or what? Your post did not include any details other than your code snippet, so it is unclear what you are asking.
Title: Re: How to resolve PHPSESSID.
Post by: BartB on January 06, 2011, 08:05:19 AM
Quote from: Kindred on December 03, 2010, 10:53:25 AM
Is this a question, a suggestion, or what? Your post did not include any details other than your code snippet, so it is unclear what you are asking.

He's not asking anything, he's giving us a solution (yay!) for a long-standing problem that I too had with my forum:

If a user typed my site URL and did not have a cookie set for my forum, he/she would see the URL in the address bar with the dreaded additional ?PHPSESSID=blahblah.
Not all too bad, but the main problem was (in my case) that this resulted in a '500' Internal Server Error.

This has been mentioned a lot over the years that SMF has existed, and nobody has really come up with a solution other than "it's a server thing".

The code snippet in the first message does indeed solve the problem. So I'm happy :) All I would want to know is: is this solution a proper one, a safe one, a recommended one?
Title: Re: How to resolve PHPSESSID.
Post by: Kindred on January 06, 2011, 09:18:30 AM
That session ID stuff is SECURITY... Just removing a line of code like that is ***NOT*** a "solution", it's a hack... a hack which potentially leads to other problems.

If your site has problems with the session ID, then your host/server is misconfigured.
Title: Re: How to resolve PHPSESSID.
Post by: BartB on January 06, 2011, 07:00:09 PM
Ok. Gotcha. Repaired it again :)

Sigh. Now "all I need to do" is convince the hoster that they misconfigured the server. Usually teaching your cat to sing the national anthem is an easier task than that, but I'll try :)
Title: Re: How to resolve PHPSESSID.
Post by: Acans on January 07, 2011, 04:29:13 AM
I think we'll move this out of the bug reports board and to SMF Coding Discussion.
Title: Re: How to resolve PHPSESSID.
Post by: Masterd on January 10, 2011, 06:03:22 AM
As Kindred said, PHPSESSID is not a problem. Without this your forum will not function properly. There are many other topics where you can see that this is not a problem.
Title: Re: How to resolve PHPSESSID.
Post by: DoctorMalboro on January 10, 2011, 10:27:45 AM
Quote from: Masterd on January 10, 2011, 06:03:22 AMAs Kindred said, PHPSESSID is not a problem. Without this your forum will not function properly. There are many other topics where you can see that this is not a problem.

Specially when someone registers...
Title: Re: How to resolve PHPSESSID.
Post by: Kays on January 10, 2011, 11:21:51 AM
The line which is commented out in the OP adds &amp; to the PHPSESSID as a separator. I wonder if this is what is giving the problem. I can't get it to break the URL on my test site, but I have seen problems reported before. I just never knew until now where the dreaded PHPSESSID was set up.

Try replacing it with a semi-colon (";"):

    $buffer = preg_replace('/"' . preg_quote($scripturl, '/') . '(?!\?' . preg_quote(SID, '/') . ')\\??/', '"' . $scripturl . '?' . SID . ';', $buffer);

It doesn't seem to break anything or produce errors.
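An added example, not code from SMF or from any post in this thread, that mirrors the posted preg_replace so the two separators can be compared offline. The forum URL, session id and HTML below are constructed sample data. The function also takes an option to add the `(?<!<link rel="canonical" href=)` lookbehind that the debug branch in the same file uses; without it the canonical link is rewritten like every other link. The small parser at the end shows what the server sees in each case: a browser decodes `&amp;` inside an href to `&` before sending the request, while a literal `;` only splits parameters if PHP's `arg_separator.input` contains `;` (SMF's own request cleaning in QueryString.php re-parses the query string with `;` treated as a separator, which is why the forum copes with either form).

```php
<?php
// Added example mirroring the rewrite posted above; not SMF's own code.
// Forum URL, session id and HTML below are constructed sample data.

/**
 * Prefix every quoted link to $scripturl with the session id, as the posted
 * preg_replace does. $separator follows the SID: '&amp;' (the original line)
 * or ';' (Kays' variant). With $protect_canonical the lookbehind from the
 * debug branch is added so <link rel="canonical"> is not rewritten.
 */
function rewrite_links(string $html, string $scripturl, string $sid,
                       string $separator, bool $protect_canonical = false): string
{
    $lookbehind = $protect_canonical ? '(?<!<link rel="canonical" href=)' : '';
    $pattern = '/' . $lookbehind . '"' . preg_quote($scripturl, '/')
             . '(?!\?' . preg_quote($sid, '/') . ')\\??/';
    return preg_replace($pattern, '"' . $scripturl . '?' . $sid . $separator, $html);
}

/**
 * Split a raw query string into parameters using the characters in
 * $arg_separator_input, i.e. the way PHP fills $_GET under that ini setting.
 */
function parse_query(string $qs, string $arg_separator_input = '&'): array
{
    $params = [];
    $split  = '/[' . preg_quote($arg_separator_input, '/') . ']/';
    foreach (preg_split($split, $qs, -1, PREG_SPLIT_NO_EMPTY) as $pair) {
        [$name, $value] = array_pad(explode('=', $pair, 2), 2, '');
        $params[urldecode($name)] = urldecode($value);
    }
    return $params;
}

/** The query string the browser actually sends for an href: entities decoded first. */
function query_sent_by_browser(string $href): string
{
    $decoded = html_entity_decode($href, ENT_QUOTES, 'UTF-8');
    return (string) parse_url($decoded, PHP_URL_QUERY);
}

$scripturl = 'http://www.example.com/index.php';                // constructed
$sid       = 'PHPSESSID=b374f67ac7697da81dd4eefd25ed9958';       // constructed
$html      = '<link rel="canonical" href="http://www.example.com/index.php" />' . "\n"
           . '<a href="http://www.example.com/index.php?topic=1.0">Topic</a>' . "\n";

// Both separators, canonical left unprotected as in the posted line.
foreach (['&amp;', ';'] as $separator) {
    echo "--- separator {$separator}, canonical unprotected ---\n";
    echo rewrite_links($html, $scripturl, $sid, $separator), "\n";
}
// Same rewrite with the canonical lookbehind: the <link> keeps its clean URL.
echo "--- separator ;, canonical protected ---\n";
echo rewrite_links($html, $scripturl, $sid, ';', true), "\n";

// The topic link as each variant makes the browser send it.
$amp_qs  = query_sent_by_browser($scripturl . '?' . $sid . '&amp;topic=1.0');
$semi_qs = query_sent_by_browser($scripturl . '?' . $sid . ';topic=1.0');

print_r(parse_query($amp_qs));          // default '&' separator
print_r(parse_query($semi_qs));         // ';' is not a separator here, so it stays inside the PHPSESSID value
print_r(parse_query($semi_qs, '&;'));   // arg_separator.input = "&;"
```

Run it with `php rewrite_demo.php`. The two things to look at are the canonical `<link>` in the first two outputs and the third `print_r`: with `;` as the separator the request only parses correctly once `;` is accepted as an input separator, either by PHP's ini setting or by the application splitting on it itself.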
Title: Re: How to resolve PHPSESSID.
Post by: opensourcelounge on January 14, 2011, 01:52:32 PM
I just installed 2.0 RC4 and had the very same problem. php.ini settings are

session.use_trans_sid = 0

and I tried both 1 and 0 for
session.use_only_cookies

It seems to be a bug to me.
Title: Re: How to resolve PHPSESSID.
Post by: Kindred on January 14, 2011, 02:22:04 PM
What is a bug? The fact that it displays a session ID, or the fact that your host is misconfigured for the use of ; and & in URLs?
Title: Re: How to resolve PHPSESSID.
Post by: opensourcelounge on January 14, 2011, 02:28:12 PM
Quote from: Kindred on January 14, 2011, 02:22:04 PM
what is a bug? the fact that is displays a sessionID or the fact that your host is misconfigured for the use of ; and & in urls?
Not a bug, just wanted to remove PHPSESSID from URL.

Can you please tell me what is the correct configuration? I can see the same PHPSESSID case with www.simplemachines.org. Open the site after deleting cookies, you'll see URLs like the following
http://www.simplemachines.org/community/index.php?P=af0fc27af4d184847c5508187e66f317&board=1.0
http://www.simplemachines.org/community/index.php?P=af0fc27af4d184847c5508187e66f317&board=19.0
Title: Re: How to resolve PHPSESSID.
Post by: Kindred on January 14, 2011, 02:40:24 PM
yes, sessionID is ***INTENDED*** to be in the url. It's a security measure. It's done on purpose and we're not going to tell you how to remove a purposeful security measure.
Title: Re: How to resolve PHPSESSID.
Post by: opensourcelounge on January 14, 2011, 02:43:02 PM
Right. But it is widely said that appending a session id is a security risk.
Title: Re: How to resolve PHPSESSID.
Post by: Illori on January 14, 2011, 02:47:12 PM
where is it widely said? provide some proof of your claims
Title: Re: How to resolve PHPSESSID.
Post by: opensourcelounge on January 14, 2011, 02:54:50 PM
It is written in the PHP manual (http://www.php.net/manual/en/session.configuration.php#ini.session.use-trans-sid).
Title: Re: How to resolve PHPSESSID.
Post by: IchBin™ on January 14, 2011, 03:00:06 PM
Quote from: opensourcelounge on January 14, 2011, 02:43:02 PM
Right. But it is widely said that appending a session id is a security risk.

That is why SMF removes the sessionID from the URL after only a couple of page loads. It's initially set for good reason. After you load a couple of more pages SMF no longer needs it set in the URL.
Title: Re: How to resolve PHPSESSID.
Post by: opensourcelounge on January 14, 2011, 03:09:55 PM
Quote from: IchBin™ on January 14, 2011, 03:00:06 PMThat is why SMF removes the sessionID from the URL after only a couple of page loads. It's initially set for good reason. After you load a couple of more pages SMF no longer needs it set in the URL.
But this may cause the same page to be indexed under different URLs by search engine crawlers (one with PHPSESSID and one without the ID). And I think Googlebot does not accept cookies/sessions. I don't know whether this really creates duplicate pages or not :-\.
Title: Re: How to resolve PHPSESSID.
Post by: IchBin™ on January 14, 2011, 03:13:44 PM
I don't think this is a problem. At least, I haven't seen anyone complain that they are getting duplicate URLs indexed because of a session ID. If it is a problem, you can add a rule in the robots.txt file to circumvent this, I'm sure.
Title: Re: How to resolve PHPSESSID.
Post by: Kindred on January 14, 2011, 03:23:13 PM
It does not affect Google in any way, because SMF 2.0 uses canonical tags.
Title: Re: How to resolve PHPSESSID.
Post by: DoctorMalboro on January 14, 2011, 04:00:11 PM
Quote from: opensourcelounge on January 14, 2011, 03:09:55 PM
Quote from: IchBin™ on January 14, 2011, 03:00:06 PMThat is why SMF removes the sessionID from the URL after only a couple of page loads. It's initially set for good reason. After you load a couple of more pages SMF no longer needs it set in the URL.
But this may cause of indexing a same page with different URLs by search engine crawlers (one with PHPSESSID and one without ID). And I think Googlebot does not accept cookies/sessions. I don't know whether this thing really create duplicate pages or not :-\.

And then use your .htaccess to rewrite them as pretty URLs...
Title: Re: How to resolve PHPSESSID.
Post by: Arantor on January 14, 2011, 06:13:49 PM
OK, here's the deal.

SMF only adds PHPSESSID into the URL to preserve the session between loads in the cases where it can't generate and keep a cookie on your computer. Since search engines didn't use to handle cookies too well, you ended up with PHPSESSID in the URL to keep the session flowing correctly. The session there isn't being used for security purposes, not really, but for tracking what the user (typically a guest) is doing around the forum for the purposes of who's online.

The thing is, there are numerous cases of the session id being in the URL; you just don't notice it, because they're not for indexable pages. Take a look at the link for marking a board read sometime. That long string of alphanumerics with an = in the middle... that's a session identifier. But there it's not used to indicate the session back to PHP, it's used to validate the session against the cookie to prevent a CSRF attack. That's the difference compared to PHPSESSID: PHPSESSID is there when there's no alternative.
Title: Re: How to resolve PHPSESSID.
Post by: Baby Daisy on January 14, 2011, 06:21:59 PM
Why is the session even put into $_GET in the first place?
Title: Re: How to resolve PHPSESSID.
Post by: Arantor on January 14, 2011, 06:25:10 PM
In the case of normal sessions (i.e. classic use of PHPSESSID), it's so that you actually persist sessions across multiple requests without cookie support. But that's mostly going back to the dark ages when cookies weren't pretty much *absolutely standard*.

As for putting the SMF-style session into the URL, that's so you prevent CSRF requests, by having the session id be provided separately to the cookie. In theory you could rewrite every instance that uses this into a POST request, but that would entail having even things like the mark boards as read link be a button, as well as the Pages:  1  2  3 thing in some cases being button based rather than link based.
Title: Re: How to resolve PHPSESSID.
Post by: Baby Daisy on January 14, 2011, 06:30:54 PM
So would it be more of a benefit to have those technical abilities built through $_POST than $_GET? Such as instead of feeding board ids through an array delimited in the URL, but through $_POST content and send through just the action itself?

Why doesn't SMF 2.0 do this considering cookie management is far more advanced than it was 10 years ago?
Title: Re: How to resolve PHPSESSID.
Post by: Arantor on January 14, 2011, 06:40:37 PM
Because SMF 2.0 was started 5 years ago...

Note I didn't get into the real meat of the detail. There are few requests you can make (anywhere) in SMF that use the session checking match between $_GET's copy of the session and what's in the cookie that are data changing. In theory it's supposedly for only low-grade data changing actions, like marking stuff unread/read, but in practice it's also used for things like the quick moderation actions where they are set to be icons. The real bulk of the session check is where it's submitted in POST, and that should be for every single form submission in SMF.

I bet you a lot of the real reason is look and feel; if you were to put every case where the session is sent in the URL into a POST form, you'd not only have to totally redesign the admin panel (since, for reasons I don't entirely understand, it sends the session identifier into the page on EVERY page in the admin panel even if it doesn't always session check the URL), but redesign every single page in the forum with any sensitivity, which would mean the mark as read/unread links, the quick moderation and plenty more besides. They'd all have to be forms, they'd all have to be processed as such, when using GET is often simpler, and in reality the security factor is not substantially different in that respect. The only difference is really where the session id ends up in the request; it's still PART of the request, just in the header rather than the body. (Though being in the header rather than the body, it can end up in server logs more readily; it's no more secure against a packet sniffer either way.)

The alternative would be to rewrite everything to use AJAX submissions to asynchronously send POST requests on your behalf. It's doable but adds the requirement of Javascript which right now isn't a requirement, but an enhancement (you can do many things in the forum simply without JS, just it's less 'nice')
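An added example, not SMF's code and not from any post here, of the distinction Arantor draws in the three posts above: a session id (cookie or PHPSESSID) selects the session, while the `name=value` pair in a mark-as-read style link or a POST form proves the request came from a page the forum rendered for that session. It is modelled on a plain PHP array standing in for `$_SESSION`; the names `session_var`/`session_value`, the link shape and the action names are illustrative assumptions, not SMF identifiers.

```php
<?php
// Added example, not SMF's code. A plain array stands in for $_SESSION; the
// key names, link shape and actions are illustrative, not SMF identifiers.

/** Server-side session data created when the cookie session is first set up. */
function new_session(): array
{
    return [
        // The anti-CSRF token is a (name, value) pair; both halves are random,
        // which is why the link reads "random=random" rather than "token=random".
        'session_var'   => 's' . bin2hex(random_bytes(4)),
        'session_value' => bin2hex(random_bytes(16)),
    ];
}

/** Build a data-changing GET link that carries the token, e.g. mark-as-read. */
function action_link(string $scripturl, string $action, array $session): string
{
    return $scripturl . '?action=' . rawurlencode($action)
         . ';' . $session['session_var'] . '=' . $session['session_value'];
}

/** Turn a URL back into the parameter array PHP would hand the script as $_GET. */
function params_from_url(string $url): array
{
    $params = [];
    $query  = (string) parse_url($url, PHP_URL_QUERY);
    foreach (preg_split('/[&;]/', $query, -1, PREG_SPLIT_NO_EMPTY) as $pair) {
        [$name, $value] = array_pad(explode('=', $pair, 2), 2, '');
        $params[urldecode($name)] = urldecode($value);
    }
    return $params;
}

/**
 * The session check: the request ($_GET for links, $_POST for forms) must carry
 * the token belonging to the session the cookie selected. hash_equals() keeps the
 * comparison constant-time so the value cannot be recovered from response timing.
 */
function check_session(array $request, array $session): bool
{
    $supplied = $request[$session['session_var']] ?? null;
    return is_string($supplied) && hash_equals($session['session_value'], $supplied);
}

$scripturl = 'http://www.example.com/index.php';   // constructed
$victim    = new_session();                           // the session the victim's cookie selects

// 1. A link the forum rendered for this session carries the right pair.
$good = action_link($scripturl, 'markasread', $victim);
var_dump(check_session(params_from_url($good), $victim));

// 2. A cross-site link crafted without the pair: the browser still attaches the
//    session cookie, but the check has nothing to compare.
$forged = $scripturl . '?action=markasread';
var_dump(check_session(params_from_url($forged), $victim));

// 3. A pair copied from the attacker's own session does not match the victim's.
$attacker = new_session();
$stolen   = action_link($scripturl, 'markasread', $attacker);
var_dump(check_session(params_from_url($stolen), $victim));

// 4. A PHPSESSID in the URL only selects a session; on its own it proves nothing
//    about where the request came from, so the check treats it like case 2.
$sid_only = $scripturl . '?PHPSESSID=' . bin2hex(random_bytes(16)) . ';action=markasread';
var_dump(check_session(params_from_url($sid_only), $victim));

// 5. The same check serves a POST form; only the source of $request changes.
$post = [$victim['session_var'] => $victim['session_value'], 'subject' => 'hi'];
var_dump(check_session($post, $victim));
```

The design point is the one Arantor makes: whether the pair travels in the query string or the POST body changes where it shows up (access logs, referers, a sniffer sees both), not what it proves. What it must never do is leak into a URL that third parties index or share, which is why it belongs on action links rather than on the canonical link of a topic page.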
Title: Re: How to resolve PHPSESSID.
Post by: Dblog on November 15, 2011, 12:02:12 AM
Quote from: Kindred on January 14, 2011, 03:23:13 PM
It does not affect Google in any way, because SMF 2.0 uses canonical tags.

How silly!
Even canonical URLs have the PHPSESSID tag.
Title: Re: How to resolve PHPSESSID.
Post by: dantg on November 24, 2011, 10:40:43 AM
Hello!

I have same problem, here's the output from lynx including headers:


HTTP/1.1 200 OK
Date: Thu, 24 Nov 2011 15:34:09 GMT
Server: Apache
Set-Cookie: PHPSESSID=b374f67ac7697da81dd4eefd25ed9958; path=/
Pragma: no-cache
Cache-Control: private
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Thu, 24 Nov 2011 15:34:09 GMT
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
        <title>Indeks</title>
        <meta name="description" content="Forum - Indeks" />
        <link rel="shortcut icon" href="http://www.domain.com/favicon.ico" />
        <link rel="canonical" href="http://www.domain.com/index.php?PHPSESSID=b374f67ac7697da81dd4eefd25ed9958" />
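An added example, not SMF's code and not from any post here, of a check for the symptom shown in the lynx capture above: it takes a raw HTTP response (headers and body, as `lynx -mime_header` or `curl -i` print it), pulls the PHPSESSID the server set in its Set-Cookie header and the href of `<link rel="canonical">`, and reports whether the canonical carries a session id, and whether it is the very id this response just handed out. The response below is constructed, modelled on the posted one with an example domain.

```php
<?php
// Added example, not SMF's code: an offline check for a canonical link that
// carries a session id. The response text below is constructed sample data.

/** Split a raw HTTP response into [status line, header map, body]. */
function split_response(string $raw): array
{
    $raw = str_replace("\r\n", "\n", $raw);
    [$head, $body] = array_pad(explode("\n\n", $raw, 2), 2, '');
    $lines   = explode("\n", $head);
    $status  = array_shift($lines);
    $headers = [];
    foreach ($lines as $line) {
        if (strpos($line, ':') === false) {
            continue;
        }
        [$name, $value] = explode(':', $line, 2);
        $headers[strtolower(trim($name))][] = trim($value);   // Set-Cookie may repeat
    }
    return [$status, $headers, $body];
}

/** The session id the server hands out, if any, from Set-Cookie: PHPSESSID=... */
function session_id_from_headers(array $headers): ?string
{
    foreach ($headers['set-cookie'] ?? [] as $cookie) {
        if (preg_match('/^PHPSESSID=([^;]+)/', $cookie, $m)) {
            return $m[1];
        }
    }
    return null;
}

/** The href of <link rel="canonical">, or null when the page has none. */
function canonical_href(string $body): ?string
{
    return preg_match('/<link\s+rel="canonical"\s+href="([^"]*)"/i', $body, $m) ? $m[1] : null;
}

/**
 * Report whether the canonical URL names PHPSESSID at all, and whether it names
 * the exact id this same response set in a cookie (a per-visitor canonical).
 */
function audit_canonical(string $raw): array
{
    [, $headers, $body] = split_response($raw);
    $canonical = canonical_href($body);
    $sid       = session_id_from_headers($headers);
    $query     = $canonical === null ? '' : (string) parse_url($canonical, PHP_URL_QUERY);
    $has_sid   = (bool) preg_match('/(^|[&;])PHPSESSID=/', $query);
    return [
        'canonical'         => $canonical,
        'carries_phpsessid' => $has_sid,
        'matches_cookie'    => $has_sid && $sid !== null
                               && strpos($query, 'PHPSESSID=' . $sid) !== false,
    ];
}

// Constructed response in the shape of the lynx capture above (example domain).
$raw = "HTTP/1.1 200 OK\r\n"
     . "Server: Apache\r\n"
     . "Set-Cookie: PHPSESSID=b374f67ac7697da81dd4eefd25ed9958; path=/\r\n"
     . "Content-Type: text/html; charset=UTF-8\r\n"
     . "\r\n"
     . "<html><head>\n"
     . "<link rel=\"canonical\" href=\"http://www.example.com/index.php?PHPSESSID=b374f67ac7697da81dd4eefd25ed9958\" />\n"
     . "</head><body></body></html>\n";

print_r(audit_canonical($raw));
```

To run it against a live forum, capture a cookie-less request (`curl -i -s http://forum.example/index.php`, with no cookie jar) into a file and pass its contents to `audit_canonical()`. A `matches_cookie` of true is the case dantg describes: every fresh crawler visit is told a different canonical URL.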
Title: Re: How to resolve PHPSESSID.
Post by: Kindred on November 24, 2011, 11:32:17 AM
??? You have WHAT same problem?

The original post is a code hack (and an incorrect one at that), not a problem.

If you are getting a 500 error, then try the code change suggested by Kays...

As for Dblog's comment... he's wrong, as usual.
Title: Re: How to resolve PHPSESSID.
Post by: Dblog on November 24, 2011, 12:09:31 PM
Quote from: Kindred on November 24, 2011, 11:32:17 AM
As for Dblog's comment... he's wrong, as usual.

try facebook debug tool on any of the urls in this community and see
Title: Re: How to resolve PHPSESSID.
Post by: Kindred on November 24, 2011, 12:24:46 PM
See what?   That Facebook is not parsing canonical correctly? Or that a debug tool from Facebook is silly?
Title: Re: How to resolve PHPSESSID.
Post by: dantg on November 24, 2011, 06:38:34 PM
Quote from: Kindred on November 24, 2011, 11:32:17 AM
??? You have WHAT same problem?

Giving Googlebot a different canonical every time it opens any page is very bad for getting unique content indexed by Google:

http://www.domain.com/index.php?PHPSESSID=b374f67ac7697da81dd4eefd25ed9958

it should be: http://www.domain.com/index.php or even better http://www.domain.com/

Also, the relative link to the SMF main page should be set to "/", not "/index.php", but this is not as big a problem as the one above about canonicals.
Title: Re: How to resolve PHPSESSID.
Post by: Kindred on November 24, 2011, 07:47:45 PM
you really have no idea what you are talking about, do you?
Title: Re: How to resolve PHPSESSID.
Post by: dantg on November 25, 2011, 06:15:07 AM
Kindred, I have been doing SEO for over 10 years, and I know what kind of problems non-unique canonicals can bring. I don't have to use SMF in the future. I just wanted SMF to be even better than it is now, but if you don't want that, then it's not my problem. I feel like you are the masters and we simple users saying that something is wrong in your work is like a smack in your face. But it's not like that, and if you think it's like that, it's childishness. End of transmission about this thread from me; it's useless.
Title: Re: How to resolve PHPSESSID.
Post by: Kindred on November 25, 2011, 09:59:29 AM
What I was saying is that we do not give a different canonical to google....


As for index.php versus root...   There is no difference.

(I too have been doing seo and websites, outside of SMF for decades)
Title: Re: How to resolve PHPSESSID.
Post by: wing on January 30, 2015, 03:10:30 PM
Digging this up from the dead in hope of some help.

On my site I'm getting these PHPSESSID= things in some links for guests.

On our wordpress site we link (using SSI.php) to the forum directly.
so on this page:
http://www.autos.ca/car-test-drives/test-drive-2015-land-rover-range-rover-evoque-dynamic/

Down by "Reader's Comments" there is a link to the forum, if I'm logged in the forum the link is:
http://www.autos.ca/forum/index.php/topic,91251.0.html?

But if I'm a guest the link is:
http://www.autos.ca/forum/index.php?PHPSESSID=lml7v0bf07av75r9ev1fc8b1i5&/topic,91251.0.html?

The problem is when you click on the second link, instead of the page opening to the thread specifically it just goes to the main forum homepage.... not good.

We recently switched from Apache to nginx/php-fpm. We checked all the trans and session variables and tried both ways, disabled cache, etc., and are still having issues. Any ideas?
Title: Re: How to resolve PHPSESSID.
Post by: Kindred on January 30, 2015, 03:42:14 PM
the phpsessID is inserted for guests. yes. this is as intended.

However, it looks like you are trying to use the so called "SEF" URLS...    don't. Turn that off. It is pointless, confusing and likely to cause issues.
Title: Re: How to resolve PHPSESSID.
Post by: wing on February 03, 2015, 10:35:35 AM
Thank you for the reply. I have now turned SEF off.

Hopefully that solves my issue. I understand the PHP session id is supposed to be and intended to be inserted, but it was / is causing the issue where the links do not work and the user is forwarded to the wrong URL because of it.

Anyways, hopefully turning off SEF fixes that .....
Title: Re: How to resolve PHPSESSID.
Post by: Kindred on February 03, 2015, 10:48:52 AM
http://wiki.simplemachines.org/smf/SMF2.0:Features_and_Options
Search engine friendly URLs - When enabled, queryless URLs are used for forum pages. This means they look like ../index.php/topic,1.0.html instead of ../index.php?topic=1.0. This option was introduced in order to help search engines index forum pages, but there is no longer any reason to use it, as search engines are now capable of indexing both formats. The queryless URL format only works for Apache and Lighttpd.
Title: Re: How to resolve PHPSESSID.
Post by: Biology Forums on September 10, 2017, 11:24:37 AM
Thanks for the fix, was looking for this everywhere. I even tried using REGEX via .htaccess.